Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Mon Jul 15, 2024 1:20 am Post subject: [Solved] Basic virtual network with VMs to get internet |
|
|
Hi all! I'm new to all this networking stuff. As a Linux user I know some basics, but I lack a lot of knowledge. Actually, the idea right now is not about where to learn, but about a way for a basic user to get some basic networking working for VMs.
To fully understand how the solutions work, we would need to learn a lot of things. I have done some research; the main point is that we can create several VMs, but they are usually on NAT, so we can't access them from the host. The point is to be able to create a network, connect the VMs and be able to access them.
From my reading, it seems the best option is to use a bridge (which seems to be very similar to a virtual switch). Most docs describe how to do this, but there is a tricky part: the docs use an Ethernet interface to make it work, so there are some problems:
If we don't have an Ethernet connection we can't route the devices, so no IP will be assigned anywhere.
It does not work for Wi-Fi.
We need to use a physical device, which is far from ideal.
Right now, in my limited experience, it seems the point is to create a bridge, create a virtual device, give internet to it, set the bridge as master to give internet to the bridge, and then use that network on the VMs.
As I'm trying to do it without Ethernet (a dummy interface just does not do the trick on the bridge), it is hard to test the actual info. There are some good videos and docs like https://www.youtube.com/watch?v=6435eNKpyYw&t=1234s
So here are the points: is a bridge the best solution (best, not easiest)? How can we create this network?
Here is the config used in the video above for a bridge using Ethernet. How can we change/update it to use a virtual one?
/etc/systemd/network/br.netdev
Code: |
[NetDev]
Name=br0
Kind=bridge
|
/etc/systemd/network/1-br0-bind.netdev
Code: |
[Match]
# ethernet interface
Name=eno1
[Network]
Bridge=br0
|
/etc/systemd/network/2-br0-dhcp.netdev
Code: |
[Match]
Name=br0
[Network]
DHCP=ipv4
|
Solution
After checking everything: using the default NAT configuration of virsh we can access all the guests by their IP, and they will have internet.
Just be cautious with the guest firewalls: some distros may enable https and not http, or there are other ones that can make access from the host to their services harder!
Thx!
Last edited by Pipeng on Tue Jul 23, 2024 1:57 pm; edited 1 time in total |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Mon Jul 15, 2024 2:56 pm Post subject: |
|
|
Some of the extensions are wrong. 1-br0-bind.netdev and 2-br0-dhcp.netdev should end in .network, not .netdev. |
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Mon Jul 15, 2024 4:04 pm Post subject: |
|
|
Hi, yes, sorry, I wrote them wrong in the post; they are using the right names.
Still, the files are an example using a physical interface instead of a virtual one to achieve this. |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Mon Jul 15, 2024 4:36 pm Post subject: |
|
|
I don't think Wi-Fi supports bridging. The problem is the MAC (BSSID) address is part of the Wi-Fi association, so it's not possible to carry "foreign" MACs over it. You have to use a routed network. If you use libvirt, it has optional firewalld integration to help with poking holes in the NAT. |
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Mon Jul 15, 2024 4:47 pm Post subject: |
|
|
Yes, we can't use Wi-Fi; that is why I thought of a virtual interface instead. I tried it but it didn't work. How can we do what you suggest? |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Mon Jul 15, 2024 6:19 pm Post subject: |
|
|
If you are using libvirt, it already creates a 192.168.122.0/24 NAT network for you, along with an interface: virbr0. If you also use virt-manager you can delete it and create a new one under Edit->Connection Details->Virtual Networks.
You have 2 choices: either routing with NAT (called "nat" in libvirt), or routing without NAT (called "routed" in libvirt). In NAT mode, all traffic appears to come from the VM host. In route mode, traffic appears to come from a different network. In both cases, no configuration is necessary via systemd-networkd: libvirt will manage the interface on its own. |
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Mon Jul 15, 2024 10:00 pm Post subject: |
|
|
Hi, yes, the main issue with the default configurations is that we can't reach them from the host, which is one of the points of the post. |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Tue Jul 16, 2024 12:34 am Post subject: |
|
|
How exactly are you trying to reach them? You won't be able to directly reach NAT'ed guests from the outside without forwarding rules, but routed guests should be reachable normally.
First, shut down all virtual machines.
If you want to use a routed network, use a file like this one:
local.xml:
Code: |
<network>
  <name>local</name>
  <bridge name="virbr1"/>
  <forward mode="route" dev="${IFACE}"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254" />
    </dhcp>
  </ip>
</network>
|
Replace ${IFACE} with your wireless network interface (like wlo1) and customize the file as you see fit (if your network already has a 192.168.122.0 network, pick a different one).
Then do:
Code: |
virsh -c qemu:///system net-autostart default --disable
virsh -c qemu:///system net-destroy default
virsh -c qemu:///system net-define local.xml
virsh -c qemu:///system net-start local
virsh -c qemu:///system net-autostart local
|
This will disable the default network and enable yours.
Then, for each guest, change the network source on the NIC to be the new network (Virtual network 'local'). Then restart your guests. They should now be accessible from any host on your network.
If they're still not accessible off the host, check to see whether the guests can access the Internet and whether the host can reach the guests. |
|
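A pre-flight check for a network file like the one in the post above, run before `net-define`. This is an added example, not part of the original post: `check_network`, the sample XML (the post's file with `${IFACE}` filled in as wlo1) and the LAN subnets passed in are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the post's local.xml with ${IFACE} filled in as wlo1.
SAMPLE_XML = """<network>
  <name>local</name>
  <bridge name="virbr1"/>
  <forward mode="route" dev="wlo1"/>
  <ip address="192.168.122.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.122.2" end="192.168.122.254"/>
    </dhcp>
  </ip>
</network>"""


def check_network(xml_text, lan_cidrs):
    """Return a list of problems in a libvirt <network> definition.

    lan_cidrs: subnets already used on the host's real interfaces.
    """
    problems = []
    net = ET.fromstring(xml_text)
    if "${" in xml_text:
        problems.append("unreplaced ${...} placeholder in the file")
    ip = net.find("ip")
    if ip is None:
        return problems + ["no <ip> element, so libvirt serves no DHCP"]
    gateway = ipaddress.ip_address(ip.get("address"))
    # libvirt accepts netmask= or prefix=; this sketch requires one of them.
    mask = ip.get("netmask") or ip.get("prefix")
    if mask is None:
        return problems + ["<ip> has neither netmask nor prefix"]
    subnet = ipaddress.ip_network(f"{gateway}/{mask}", strict=False)
    for cidr in lan_cidrs:
        if subnet.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{subnet} overlaps host network {cidr}")
    for rng in ip.findall("dhcp/range"):
        start = ipaddress.ip_address(rng.get("start"))
        end = ipaddress.ip_address(rng.get("end"))
        if start not in subnet or end not in subnet or start > end:
            problems.append(f"DHCP range {start}-{end} is outside {subnet}")
        elif start <= gateway <= end:
            problems.append(f"DHCP range {start}-{end} contains gateway {gateway}")
    return problems
```
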
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Tue Jul 16, 2024 2:35 am Post subject: |
|
|
Hi! thx for the help.
Sadly there are some issues... from the VMs I don't have access to the internet. I tried an Ubuntu ISO and it seems I got an IP from what the UI shows, but ip link list does not agree with it; it shows no IP.
Code: |
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:eb:f4:52 brd ff:ff:ff:ff:ff:ff
|
Maybe for the same reason, the routed network makes all the VMs veeery slow; maybe this shows more on Rocky Linux because it waits for the network to be ready, while in Ubuntu that happens in the background.
Edited:
Here is the final network file
Code: |
<network>
  <name>local</name>
  <uuid>3188b327-2375-4251-90d8-71065a926256</uuid>
  <forward dev="wlo1" mode="route">
    <interface dev="wlo1"/>
  </forward>
  <bridge name="virbr2" stp="on" delay="0"/>
  <mac address="52:54:00:b0:ac:9c"/>
  <ip address="192.168.123.1" netmask="255.255.255.0">
    <dhcp>
      <range start="192.168.123.2" end="192.168.123.254"/>
    </dhcp>
  </ip>
</network>
|
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Tue Jul 16, 2024 3:56 pm Post subject: |
|
|
That's normal. You won't see the IP from the "outside". Only the "inside" adapter sees the IP.
If you don't have access to the Internet from your guests, make sure IP forwarding is enabled on the host. |
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Tue Jul 16, 2024 5:06 pm Post subject: |
|
|
Hi, the adapter I posted is from the VM; they are not getting an IP.
How can I check that forwarding is enabled?
thx. |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Tue Jul 16, 2024 7:44 pm Post subject: |
|
|
Ok, the guests should be getting DHCP leases from the host, and the in-guest network adapters should have IP addresses. If it doesn't, it could be one of 2 things: either there's something wrong with libvirt's network configuration, or the client is stuck on its old IP address.
For the first case, execute
Code: |
virsh -c qemu:///system net-list
|
and verify your network ("local") is active, autostarted and persistent. Second, make sure each guest is attached to the correct interface. For each guest:
Code: |
virsh -c qemu:///system domiflist <domainname>
|
It should display your bridge "virbr2" in the "Source" column.
If it's correct, but it's still not working, shut down your VM and restart the libvirtd service.
If it doesn't work after that, the client may have a "stuck" lease - it wants the old lease and refuses the DHCPNAK. In that case, you'll need to release and renew the current lease in the guest, but instructions for that vary depending on the guest. For Linux guests, you may need to shut down the network service and delete the lease files by hand.
For IP forwarding, use the following command to show it:
Code: |
sysctl net.ipv4.ip_forward
|
It'll output the current value. To change it:
Code: |
sysctl -w net.ipv4.ip_forward=1
|
This, however, will not persist across a reboot. How to make it persist varies depending on your init system (systemd or OpenRC). |
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Wed Jul 17, 2024 1:20 am Post subject: |
|
|
Hi!
I can confirm virsh is using the right network (it is not active by default, but I start it manually from the GUI before creating the VM), and forwarding is active.
About the vms:
Code: |
virsh -c qemu:///system domiflist ubuntu24.04
Interface Type Source Model MAC
------------------------------------------------------------
vnet0 network local virtio 52:54:00:b1:56:3c
|
Why should it show "virbr2" in the source? It is actually showing the network we have configured, which is "local".
Thx! |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Wed Jul 17, 2024 2:51 am Post subject: |
|
|
OK, it looks different on mine because mine is Ethernet and bridged. Yours looks correct for a routed network. The guests should be getting IP addresses from the host's dnsmasq (which is started by libvirtd). Is it still not working?
If it's still not working and you haven't already done it, shut down libvirtd, make sure dnsmasq is not running, then restart libvirtd and see if your guests can get IPs after that. |
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Wed Jul 17, 2024 12:36 pm Post subject: |
|
|
Hi, it still does not work.
I have not enabled the dnsmasq service.
Libvirt is using dnsmasq to assign IPs; even in the logs we can see it already assigned an IP to the guest:
Code: |
jul 17 08:26:02 pipe-pc dnsmasq[6478]: using nameserver 200.75.0.5#53
jul 17 08:26:02 pipe-pc dnsmasq[6478]: read /etc/hosts - 4 names
jul 17 08:26:02 pipe-pc dnsmasq[6478]: read /var/lib/libvirt/dnsmasq/local.addnhosts - 0 names
jul 17 08:26:02 pipe-pc dnsmasq-dhcp[6478]: read /var/lib/libvirt/dnsmasq/local.hostsfile
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPDISCOVER(virbr2) 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPOFFER(virbr2) 192.168.123.188 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPDISCOVER(virbr2) 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPOFFER(virbr2) 192.168.123.188 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPREQUEST(virbr2) 192.168.123.188 52:54:00:51:2a:e9
jul 17 08:27:17 pipe-pc dnsmasq-dhcp[6478]: DHCPACK(virbr2) 192.168.123.188 52:54:00:51:2a:e9 ubuntu
|
But when we check the guest, there is an IP if we check the GUI, but... when we ping something, there is 100% packet loss.
Sorry, the ip link list command does not show the actual IP of the interfaces; I got confused by it.
So, there is an IP, but no internet. |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Wed Jul 17, 2024 2:22 pm Post subject: |
|
|
ok, check a few things:
From the guest, ping:
The host
Another device on the LAN
Your router
An Internet host
See which ones succeed and which ones fail. |
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Wed Jul 17, 2024 3:42 pm Post subject: |
|
|
Hi, here are the results:
Host Ip: 192.168.5.130 (Ok)
Host Lan: 192.168.5.22 (100% packet loss)
Host Router: 192.168.5.1 (Destination Host Unreachable)
Guest Ip: 192.168.123.253
Guest router (?): 192.168.123.1 (Ok)
Ping to google: 100% packet loss |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Wed Jul 17, 2024 6:39 pm Post subject: |
|
|
Ok, so it looks like packets are correctly being routed off the host, but they can't get back.
In your router, try adding a static route. You want to route everything to the 192.168.123.0/24 network via your VM's host address (192.168.5.130 in your case). |
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Wed Jul 17, 2024 7:44 pm Post subject: |
|
|
Is there a way to achieve that locally? The router belongs to the internet company, I don't have access to it. |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Thu Jul 18, 2024 1:35 am Post subject: |
|
|
That's a problem. Without a route, you can get packets out, but when they come into the router, the router will send them to its default gateway (the ISP) rather than your network. In addition, the router may have a firewall so that anything not in its network (192.168.5.0/24) is rejected on the internal interfaces.
The only way to make it work transparently to other hosts is through NAT or bridging. Routing requires control of the main router. The main router also needs to send ICMP REDIRECT packets to the internal hosts telling them how to find the guest network (most will do this if they have a static route), otherwise a route will need to be added to all clients on the networks in addition to the guest network. |
|
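The return-path problem described in the post above, modelled with a longest-prefix-match lookup. This is an added example, not part of the original post: the addresses are the ones in this thread, while the routing tables and the names `next_hop` and `reply_delivered` are constructed assumptions.

```python
import ipaddress

# Addresses from the thread; the routing tables below are constructed models.
ROUTER_IP = "192.168.5.1"
VM_HOST = "192.168.5.130"
GUEST = "192.168.123.253"

# (destination, next hop) pairs; "lan" means directly connected.
LAN_PEER = [("192.168.5.0/24", "lan"), ("0.0.0.0/0", ROUTER_IP)]
ROUTER = [("192.168.5.0/24", "lan"), ("0.0.0.0/0", "isp")]
ROUTER_WITH_STATIC = ROUTER + [("192.168.123.0/24", VM_HOST)]


def next_hop(table, dst):
    """Longest-prefix match over (cidr, hop) pairs."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, hop in table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else "unreachable"


def reply_delivered(forward_mode, router_table):
    """Does a LAN peer's reply to a guest's packet get back to the VM host?"""
    # With NAT the host rewrites the source, so the peer answers VM_HOST.
    reply_dst = VM_HOST if forward_mode == "nat" else GUEST
    hop = next_hop(LAN_PEER, reply_dst)
    if hop == ROUTER_IP:  # not on-link: the peer hands it to the router
        hop = next_hop(router_table, reply_dst)
    return hop in ("lan", VM_HOST)
```

In routed mode without the static route the reply leaves through the router's default route; with the static route, or with NAT, it reaches the VM host.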
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Thu Jul 18, 2024 2:57 am Post subject: |
|
|
Which one could we try? The default NAT has the guests hidden, while bridging should be done with a virtual interface instead of a physical one; even though I know that, I do not know how to configure it. |
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22619
|
Posted: Thu Jul 18, 2024 2:20 pm Post subject: |
|
|
NAT is generally easier to set up. When set up properly, the host can connect to the guests without issue. Other physical machines will need to connect to the host and let a NAT rule on the host pass the traffic to the guest. |
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Thu Jul 18, 2024 2:29 pm Post subject: |
|
|
How can we configure it? Can you guide me please? Thx! |
|
salahx Guru
Joined: 12 Mar 2005 Posts: 556
|
Posted: Thu Jul 18, 2024 5:00 pm Post subject: |
|
|
If you still have the default network, we need to re-enable it:
Code: |
virsh -c qemu:///system net-autostart local --disable
virsh -c qemu:///system net-destroy local
virsh -c qemu:///system net-start default
virsh -c qemu:///system net-autostart default
|
Then attach all your VMs to the "default" network. That will restore NAT. Your guests should be able to get out, but if you have any servers on the guests, they won't be accessible without additional configuration.
If you undefined the "default" network, you can redefine it by using the file at https://github.com/libvirt/libvirt/blob/master/src/network/default.xml.in
Code: |
virsh -c qemu:///system net-define /dev/stdin
[Paste the content from default.xml.in]
[Press Control+D]
|
|
Pipeng Tux's lil' helper
Joined: 23 Jul 2013 Posts: 117
|
Posted: Thu Jul 18, 2024 7:31 pm Post subject: |
|
|
Hi, thx, and how can we make the host access the guests with NAT? Hu said it is possible to do. |
|